2 comments:

Hi Steve, I'm currently working on fuzzing an old, buggy FTP server and through some research I discovered a buffer overflow vuln on the second argument of a particular command. What I cannot figure out is how to configure SPIKE to send a fuzz string to the second argument only (send a static, fixed-length variable for the first argument, then send fuzz data to the second argument). The arguments are separated by a space, so is there a way to set a constant for the first argument, append a space and fuzz everything after the constant and space? I believe the option may be available by using "s_string_variables" and SKIPVAR as mentioned in your articles, or possibly some proper SPIKE scripting on my part, but I've never configured SPIKE this way. Any help is greatly appreciated!

s_string will set a static string value, so if you were fuzzing for string style inputs on the second parameter of the BLAH command, which was carriage return line feed terminated, and you wanted a static first parameter of "param1" you could do something like:

The fuzz parameter would start with an initial value of "param2" then would iterate through fuzz strings. I haven't tested that, so I make no guarantees about whether it will work exactly as written, but it should be more or less correct.

The best way to understand this however is to use wireshark to watch your traffic and see how changes to your script affect the traffic sent on the network. Trial and error.

While SPIKE is an excellent fuzzer for understanding the concepts of fuzzing, there are a number of better fuzzers available now too, such as Sulley, which you might want to look at.
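The script Steve describes, written out as an added example (this is not Steve's or the commenter's script, and Steve's comment above does not include one). It keeps the command name and the first argument static and lets SPIKE iterate its fuzz strings through the second argument only. The command name BLAH and the first argument param1 are taken from the thread; the FTP login lines, the credentials, the host and port in the run command, and the file name blah.spk are assumptions, so swap them for the target you are actually testing.

```spike
// Added example, not from the original post. A SPIKE .spk script that logs
// in to an FTP server and then sends "BLAH param1 <fuzz>\r\n", fuzzing only
// the second argument of BLAH. Run it with generic_send_tcp, e.g.
//   ./generic_send_tcp 192.168.1.10 21 blah.spk 0 0
// where 192.168.1.10:21 is a placeholder target and the trailing 0 0 are
// SKIPVAR (which s_string_variable to start at) and SKIPSTR (which fuzz
// string to start at), useful for resuming after a crash.

s_readline();                         // read the 220 banner
s_string("USER anonymous\r\n");       // static login (assumed credentials)
s_readline();                         // read the 331 reply
s_string("PASS test@example.com\r\n");
s_readline();                         // read the 230 reply

s_string("BLAH ");                    // static command name plus separating space
s_string("param1 ");                  // static, fixed-length first argument plus space
s_string_variable("param2");          // second argument: first sent as "param2",
                                      // then replaced by each SPIKE fuzz string in turn
s_string("\r\n");                     // CRLF terminator for the command line
```

Because s_string_variable is the only variable in the script, SKIPVAR stays at 0; if the server dies on, say, the 37th fuzz string, rerun with SKIPSTR set to 37 after restarting the target to confirm the crash is reproducible. As Steve says, watch the session in Wireshark while you tune the script so you can see exactly what each iteration puts on the wire.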